Di_Junior inside General Topics 6 hours ago
views 21 2

Managed Security Service Provider using Check Point Solutions

Dear Mates, We wish to become a MSSP as such, we are in the process of looking into different solutions. Since we have a great success story with Check Point, we are considering to join this new journey with Check Point. I would like to know which Check Point Product/Technology we could use in order to start providing security services to our customers. I was thinking of VSX, and create different contexts for each customer. Is there anything else we should look at? Thanks in advance
Gaurav_Pandya inside General Topics 6 hours ago
views 4742 17 17

Healthcheck Script

Hi All, There is a readily available script for Gaia based systems on Check Point. It checks almost all parameters. Maybe some are aware of this, but for those who are unaware, it is a very useful script. You can refer to sk121447 and download the readily available Health check Script. It is very useful and measures all the required parameters. Hope this will be helpful.
Manoj_Tiwari inside General Topics 7 hours ago
views 7143 21 2

ISP Redundancy (load sharing) issue in R80.10

Recently I have set up the Check Point firewall 5400 series Gaia R80.10 in a cluster environment, where I have to configure the ISP redundancy in load sharing mode. But after it went live, we have faced the high CPU utilization issue, some traffic has been dropped without hitting in policy, first packet isn't sync packet etc issues. I have configured the ISP redundancy with reference of R77.30 but I don't even find any guide and documentation for the ISP redundancy in R80.10.
My question is:
- Has anybody implemented the ISP redundancy in R80.10?
- If Check Point doesn't provide any documentation for that, is it supported or not in R80.10?
Thanks, Manoj
Jessie_Rich inside General Topics 10 hours ago
views 188 5

Internal firewall anti-spoofing

I have 2 networks separated by a firewall and then an internet facing firewall. I am getting anti-spoofing alerts on traffic passing through my internal firewall from the internet. Topology looks something like this:
Network-A >>> InternalFW >>>> Network-B >>>>> internetFW >>>>>> Internet
On the Network-B facing interfaces on both firewalls I have only my Network-B networks defined in the topology. I assume on the InternalFW I need to add the internet to the topology on the interface connected to Network-B? To not mess up anti-spoofing on the internetFW I assume I would create separate network groups for my topology on the internal and internet firewalls? Thank you for any advice you can give.
Daniel_Taney inside General Topics 10 hours ago
views 2051 11

Hyperthreading Best Practice Recommendation For Management / SmartEvent Open Servers?

Is there a best practice recommendation for whether Hyperthreading should be enabled on an R80.10 Open Server if it is solely used as a SMS or SmartEvent server? I found lots of tips when it comes to HT on Gateways, but didn't see anything regarding Management. Thank You!
Srinivasan_N inside General Topics 11 hours ago
views 31259 7 3

Check Point Inspection points-iIoO

Hi Experts, Thank you all for helping us. Could you guys please assist on iIoO - Checkpoint Inspection points. Even Checkpoint doesn't provide much info (Shown below). Like where Anti-spoofing/Access-rule/NAT/Routing is applied @ each stage of iIoO. Please assist.
Michael_Goessma inside General Topics 11 hours ago
views 18

fw monitor and cppcap on VSX R80.20 (JHF 91)

I just want to share my findings on fw monitor and cppcap on a VSX R80.20 JHF 91 environment:
- fw monitor just segfaults if I use the -v <VSID> switch
- fw monitor just ignores the VS context if running without -v switch and captures packets in all VS
- cppcap does not work in VSX R80.20 JHF 91 with acceleration enabled, I had to do a fwaccel off in the specific VS to capture traffic
I may be wrong. But if not, some documents should be corrected, including Heiko's excellent cheat sheet...
TD_Thorwald inside General Topics 11 hours ago
views 41 2

Checkmates/Checkpoint websites password

How do I change my password for Check Point CheckMates, and the Check Point website(s) in general? I don't find that option in the usual places.
Muazzam inside General Topics 12 hours ago
views 154 3

NAT Exhaustion - Hide NAT failures

Environment: MDS R80.20, Gateway R77.30 T216, Hardware 13800
Cores are not overloaded, stays around 30-60%.
We see a lot of "hide NAT failure" messages in firewall logs. User reports latency and page not found at that time. Adding additional NAT addresses on the top of existing hide NAT addresses resolves the issue but my concern is the output of these commands that I am using to check the number of times each of my hide NAT is used.
[Expert@R77.30GTW]# fw tab -u -t connections | grep -ci bbxxxx0a
165032
[Expert@R77.30GTW]# fw tab -u -t connections | grep -ci bbxxxx0b
184938
[Expert@R77.30GTW]# fw tab -u -t connections | grep -ci bbxxxx0c
105793
Note: No error messages or user complaints at this point. Also note that these numbers have not changed much in the last few days, since the time we had the issues.
Do these numbers look real? If we divide the output by 2, still we are talking about 50K to 90K range that is theoretically not possible. Is it possible that some connections got stuck, not getting released or something?
Khalid_Aftas inside General Topics 13 hours ago
views 223 5

R80.20 Ipsec VPN issues

Hi, After upgrade to R80.20 in multiple gateways, we started having issues with a lot of VPNs that were running without problem in 80.10.
Case 1: VPN with partner down, I had to make him disable NAT-T option for it to work again.
Case 2 (most critical): Amazon Web Services, once phase 2 proposition from AWS comes, CP accepts it, then decides to propose again another negotiation, during few minutes complete cut out of the traffic.
Other cases in other GW with similar issues. Opened a case in the TAC, they made me install some special hotfix, with no success. What changed in R80.20 regarding VPN? I hope there is a solution for these issues.
[CPFC]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[MGMT]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[FW1]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
HOTFIX_R80_20_JHF_T87_190_MAIN
HOTFIX_R80_20_JHF_T87_174_MAIN
HOTFIX_R80_20_JHF_87_90_002_MAIN
FW1 build number:
This is Check Point's software version R80.20 - Build 100
kernel: R80.20 - Build 001
[SecurePlatform]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[CPinfo]
No hotfixes..
[DIAG]
No hotfixes..
[PPACK]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[CVPN]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[CPUpdates]
BUNDLE_R80_20_JUMBO_HF_MAIN Take: 87
ponravoth inside General Topics yesterday
views 15

CheckPoint redirect to IP address 62.0.58.94

Hello support, Please advise us, It is normal event for Check Point or suspicious event? After checkpoint prevent will redirect to IP address 62.0.58.94. What's IP address? Best Regards, Ravoth
MattDunn inside General Topics yesterday
views 98 3

Thoughts on a random cluster problem?

Hi all, Every now and then a customer (same customer) emails me to say "the firewall has gone down again and killed our replication jobs". After several weeks with no problem, this happened again twice yesterday. I found logs in both SmartLog and /var/log/messages which match the times of the connectivity drop. Interestingly it only seems to moan about VLAN 52, so the physical eth3 interface and the other VLANs on that interface appear to be OK. One thing to note is that the cluster members are at different sites, so my initial thought is some kind of networking issue? Possibly latency if the leased line is being saturated? I've asked the people that support the network to look into this. Does anyone else have any different thoughts on what could be causing VLAN 52 to lose comms between the cluster members? Thanks, Matt

Sep 18 16:28:01 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-110305-1: State change: ACTIVE -> ACTIVE(!) | Reason: Interface eth2 is down (Cluster Control Protocol packets are not received)
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-110305-1: State remains: ACTIVE! | Reason: Interface eth3.52 is down (Cluster Control Protocol packets are not received)
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-210300-1: Remote member 2 (state STANDBY -> DOWN) | Reason: Interface is down (Cluster Control Protocol packets are not received)
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_1];fwldbcast_handle_retrans_request: Updated bchosts_mask to 1
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_0];fwldbcast_handle_retrans_request: Updated bchosts_mask to 1
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-214802-1: Remote member 2 (state DOWN -> STANDBY) | Reason: There is already an ACTIVE member in the cluster
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-100102-1: Failover member 1 -> member 2 | Reason: Interface eth3.52 is down (Cluster Control Protocol packets are not received)
Sep 18 16:28:22 2019 xxxxxxxx-fwa kernel: [fw4_1];check_other_machine_activity: Update state of member id 1 to DEAD, didn't hear from it since 930450.9 and now 930453.9
Sep 18 16:28:22 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-216400-1: Remote member 2 (state STANDBY -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Sep 18 16:28:48 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-210300-1: Remote member 2 (state LOST -> DOWN) | Reason: Interface is down (Cluster Control Protocol packets are not received)
Sep 18 16:28:48 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-114904-1: State change: ACTIVE(!) ->  ACTIVE | Reason: Reason for ACTIVE! alert has been resolved
Sep 18 16:28:48 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-214802-1: Remote member 2 (state DOWN -> STANDBY) | Reason: There is already an ACTIVE member in the cluster

Sep 18 16:43:30 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-210300-1: Remote member 2 (state STANDBY -> DOWN) | Reason: Interface is down (Cluster Control Protocol packets are not received)
Sep 18 16:43:30 2019 xxxxxxxx-fwa kernel: [fw4_1];fwldbcast_handle_retrans_request: Updated bchosts_mask to 1
Sep 18 16:43:30 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-110305-1: State change: ACTIVE -> ACTIVE(!) | Reason: Interface eth3.52 is down (Cluster Control Protocol packets are not received)
Sep 18 16:43:31 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-214802-1: Remote member 2 (state DOWN -> STANDBY) | Reason: There is already an ACTIVE member in the cluster
Sep 18 16:43:31 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-100102-1: Failover member 1 -> member 2 | Reason: Interface eth3.52 is down (Cluster Control Protocol packets are not received)
Sep 18 16:43:52 2019 xxxxxxxx-fwa kernel: [fw4_1];check_other_machine_activity: Update state of member id 1 to DEAD, didn't hear from it since 931378.3 and now 931381.3
Sep 18 16:43:52 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-216400-1: Remote member 2 (state STANDBY -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Sep 18 16:45:25 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-114904-1: State change: ACTIVE(!) ->  ACTIVE | Reason: Reason for ACTIVE! alert has been resolved
Sep 18 16:45:25 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-214802-1: Remote member 2 (state LOST -> STANDBY) | Reason: There is already an ACTIVE member in the cluster
guesstimation inside General Topics yesterday
views 80 2

Cluster re-sync

Hello, During network maintenance we have to break Sync link between CP HA cluster nodes. After we reconnect our Sync, how do we ensure/verify that cluster nodes are in Sync? Will it recognize that it lost number of Sync packets and will try to resend them or no? Do we need to somehow force re-sync?
6dd15084-b97a-4 inside General Topics yesterday
views 93 2

Log server r80.10

Hello gents. We have 4 R77.30 Cluster config gateways & we wanted to create 1 central log server with R80.10, we wanted to take backup of at least 3 months or more. Can you please guide me on the process to do that, also hardware capability for the server.
Valeri_Loukine inside General Topics yesterday
views 13122 75 2
Admin

Propose your Idea of the Year!

Yes, this is this time of year, again. Same as one year ago, we turn to the community and ask you, good folks, to propose the idea of the year. Or, better: The Idea Of The Year!

The rules are the same as before, it is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones. Do you think we miss something important or we should consider to expand our product portfolio, feature set, functionalities, get to a completely new playground, change the rules of the game? Tell us NOW!

A few disclaimers/notes:
- There are no guarantees that any idea suggested will be developed, even the "Idea Of The Year".
- From the suggestions below, we will choose 3-5 ideas which will be put up for voting later on.
- Preference will be given to ideas that come from customers and partners, though employees are welcome to participate as well.
- "Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known!
- @Dorit_Dor and R&D leaders will choose the best ideas, and if you win, you will get a prize! What prize? We will tell you later.

Get creative, use your imagination and PROPOSE!