Showing results for 
Search instead for 
Did you mean: 
Create a Post
General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

C_M inside General Topics an hour ago
views 102 4

Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head

Runnning this command is supposed to show top connecting ips.I'm having trouble with converting the hex to ip addresses. Any success? I'm using sites and they are just giving me incomplete numbers.
inside General Topics 4 hours ago
views 1179 14 8

sk164752 - Installing DOOM on Gaia

Hello everyone, I work at one of the Checkpoint TACs. We had a little internal contest to see if we could get doom running on a Checkpoint firewall for fun. I managed to get it done and just finished the SK. Feel free to take a look at sk164752 for how it was done. It is general access so anyone should be able to view it.   Needless to say do not try this in production, you are increasing the attack surface of the operating system significantly by doing so.   Edit: It looks like management decided to make the SK internal, sorry guys. Edit2: They did ok it to be posted on checkmates though, Please see below.   Symptoms You want to run linux applications on Gaia. You need to defeat the minions of hell. Solution Please note this procedure is not supported and not secure Under no circumstances should this be done in a production environment This is a proof of concept and for fun Pre-requisites An R80.30 Gateway running the 3.10 kernel as per sk152652 A bootable Ubuntu Live image - link More spare time than sense Installing a Debian chroot Boot the R80.30 3.10 gateway from the Ubuntu Live Image Ensure the live OS has an internet connection Once booted installed debootstrap sudo apt update     sudo apt install debootstrap Create a working environment and mount the Gaia file system mkdir /home/ubuntu/installdir sudo mount /dev/mapper/vg_splat-lv_current /home/ubuntu/installerdir We will be installing Debian Jessie in the chroot, this is because Jessie runs Kernel 3.16 which is very close to the gaia Kernel 3.10. This will help ensure things run smoother. Create the chroot environment, if you choose another chroot OS be sure to change the path sudo mkdir /home/ubuntu/installdir/chroot sudo mkdir /home/ubuntu/installdir/chroot/jessie Use the following command to install Jessie this may take some time sudo debootstrap --include locales --arch amd64 jessie /home/ubuntu/installdir/chroot/jessie Once complete reboot and remove the Ubuntu installation media Prepare the Chroot To allow the chroot to properly communicate with the hardware of the machine we need to bind several mount points in the chroot, since this needs to be done at every boot I will provide a script below that binds these mounts. I placed this in the home directory of the admin user for ease of use. Start of script #!/bin/bash mount --bind /proc /chroot/jessie/proc mount --bind /sys /chroot/jessie/sys mount --bind /dev /chroot/jessie/dev mount --bind /dev/pts /chroot/jessie/dev/pts End of script Give the script the privileges it needs to run and run it chmod 755 /home/admin/ cd /home/admin ./ Create the default root users home directory mkdir /chroot/jessie/home/admin optionally you may bind the existing gaia /home/admin directory to the chroot by adding the below line to the script mount --bind /home/admin /chroot/jessie/home/admin Enter the chroot chroot /chroot/jessie Configure the Chroot Set the dns server by adding a dns server of your preference to /etc/resolv.conf with vi add "nameserver $IPgoesHere" to the file Install vim because vi is terrible, the default repositories should be able to do this. apt update apt install vim add the gaia hostname to /etc/hosts see below for an example, my hostname is DOOM The first line of /etc/hosts should appear similar below but with your hostname127.0.0.1 localhost DOOM add a complete list of jessie repositories to /etc/apt/sources.list by matching the contents below using vim Start of sources.list deb jessie main non-free contrib deb-src jessie main non-free contrib deb jessie/updates main contrib non-free deb-src jessie/updates main contrib non-free End of sources.list Update the repository list using "apt update" Create a non-root user Install sudo apt install sudo create a new non-root user (in this case doom) adduser doom follow the prompts to set the password Add the new user to the sudo group usermod -aG sudo doom   Installing the desktop Ensure the debian software selection with the following command tasksel Using the arrow keys and space bar select "Debian Desktop Environment" & "Xfce" Use tab to select OK and enter to continue. Wait for the needed packages to install (this will take several minutes) You will be prompted to select your keyboard layout during this process, do so. Once complete you will be back at the terminal Installing the desktop will have overwritten /etc/resolv.conf reset the dns server by adding a dns server of your preference to /etc/resolv.conf with vim add "nameserver $IPgoesHere" to the file Installing the desktop may have overwritten the hostname inside the chroot test the hostname to see if its changed by using the hostname command if it has changed, change it back by using the hostname command example below hostname DOOM make sure to edit the /etc/hostname file to match so it survives reboot Install xrdp apt install xrdp exit the chroot (just type exit in the terminal) add the following line to the script chroot /chroot/jessie /etc/init.d/xrdp restart This will ensure xrdp is started properly when spawning the chroot Ensure that your firewall policy is either unloaded (fw unloadlocal) or add firewall rules that allow port 3389 re-add the full repository list as per the "Configure the Chroot" section, ensure you "apt update"   Login to the GUI and install DOOM RDP to an ip of the gateway that is reachable Use the default sesman-Xvnc module Provide the username and password (do not log in with root use the non-root user we created earlier) If all went well you should see the desktop Open a terminal and install DOOM sudo apt-get install doom-wad-shareware prboom Start DOOM /usr/games/prboom Doom running on a Gaia firewall, note the xfce4 and xrdp processes running in attached screenshot.      
Adrian_Pillo inside General Topics 5 hours ago
views 51 5

Add cluster state to gaia prompt - clish and bash

Bash prompt can be changed by setting env var PS1 to whatever you want. Same with clish executing clish -c "set clienv prompt <text>".   But how can I trigger cluster failover in order to place ACTIVE or STANDBY in my prompt? Yes management get's a log, we can have eMail, snmp oder script alerts on that event, but all just on management, not on gateway. Is there a way to execute scripts on gateway triggered by a cluster failover event?   Thanks 
inside General Topics 6 hours ago
views 1036 2 5

R80.30 Jumbo Hotfix Accumulator - New Ongoing Take #135

A new Ongoing Jumbo Hotfix Accumulator take for R80.30 (Take #135) is available. Please refer to sk153152 This take updates take 132 that was released on Jan 2. Thanks,  Release Management group 
inside General Topics 6 hours ago
views 40

R80.30 Jumbo Hotfix Accumulator - New Ongoing Take 136

A new Ongoing Jumbo Hotfix Accumulator take for R80.30 (Take 136) was released today and is available for download. Please refer to  sk153152 This take is updated take 135 (released on Jan 13)   Release Content:          PRJ-8216 - Management HA synchronization failure with the error message "failed to export data" on MDM/SMC environment with at least 3 machines.   Please note the following: The new releases is mentioned Jumbo SK: sk153152 The new releases will be published via CPUSE as a recommended version once it will be published as GA. Availability: o   Will be provided by customer support o   Available for download via CPUSE by using package identifier. For more information on Jumbo releases, please refer to this thread “R80.XX Jumbo Hotfix Accumulator - Did You Know?“  Thanks , Release Management Group
inside General Topics 7 hours ago
views 1381 3 17

R80.XX Jumbo Hotfix Accumulator - Did You Know?

Hi Everyone, My name is @Yifat_Chen   and I’m part of  the Release Operation group managed by @MeravAlon  Our group is responsible for Check Point major releases (e.g R80.20), minor releases (e.g R80.30) and Jumbo Hotfix Accumulator releases for R80.10, R80.20 & R80.30 trains. Following several recent conversations and questions from customers, I would like to provide some general  information regarding the Jumbo Hotfix (JHF) Accumulator: Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving issues in different products. For more information, see sk98028. Check Point  recommends that you install the latest GA Jumbo take on a regular basis. A new Jumbo take is usually released every 1-2 months. For a complete list of fixes in each Jumbo take, please refer to the following SKs: R80.10 JHF SK, R80.10 SmartConsole SK , R80.20 JHF SK , R80.20 SmartConsole SK , R80.30 JHF SK , R80.30 SmartConsole SK Every new Jumbo take has 2 phases: 1st -  Released as “Ongoing” - The main purpose of the “Ongoing” take is early adoption. 2nd – Published as “GA” - Recommended as a General Availability take. After 3-4 weeks, an “Ongoing” take is moved to GA status. If there is a problem with an “Ongoing” take, a new one will be released. A new JHF on the Management Server can be installed regardless of the Gateway server. There’s no requirement to align the Management and Gateway to use the same JHF take. (Note - All Management machines should have the same JHF take.) SmartConsole Jumbo HF is also released every 1-2 months. Note – there is no dependency between SmartConsole and Jumbo takes. Different takes of Jumbo can be used with each SmartConsole take. However – some features/fixes require an upgrade of both Jumbo and SmartConsole. Installing a JHF is not an upgrade process ! The installation of a JHF is simple  and doesn’t perform any changes in the Management Database. JHF  only replaces specific binaries with new fixes, However - a reboot may require after JHF installation  I’m tagging also: @Tsahi_Etziony  – R&D director of Product operation @MeravAlon  - Release Operation Group manager   Please don’t hesitate to contact us for any further questions regarding the Jumbo releases. Regards, Yifat Chen   
Kaspars_Zibarts inside General Topics 8 hours ago
views 457 11 2

First impressions R80.30 on gateway - one step forward one (or two back)

Ok, we were finally "forced" to go ahead and upgrade our gateways from R80.10 to R80.30 for fairly small things - we wanted to be ale to use O365 Updatable Object (instead of home grown scripts) and improve Domain (FQDN) object performance issues when all FWK cores were making DNS queries causing a lot of alerts (see Positive things - upgrades were smooth and painless - both on regular gateways and VSX. All regular gateways seems to be performing as before, but I have to be honest that they are "over-dimensioned" and having rather powerfull HW for the job - 5900 with 16 cores. VSX though threw couple of surprises. SXL medium path usage. CPU jumped from <30% to above 50% on the busiest VS that only has FW and IA blades enabled. Ok, there is also VPN but only one connection:             I haven't spent enough time digging into it but for some reason 1/3 of all connections took medium path whereas before in R80.10 it was nearly all fully accelerated. And most of it was HTTPS (95%) with next most used LDAP-SSL (2%) I used the SXL fast accelerator feature (thanks @HeikoAnkenbrand to exclude our proxies and some other nets and you can see that on friday CPU load was reduced by 10% but nowhere near what it used to be. I just find it impossible to explain why would gateway with only FW blade enabled start to to throw all (by the looks of it) traffic via PXL. And statistics are a bit funny too:   FQDN alerts in logs. I can definitely confirm that only one core now is doing DNS lookups (against all DNS server you have defined, in our case 2). But we are still getting a lot of alerts like these: Firewall - Domain resolving error. Check DNS configuration on the gateway (0)             Especially after I enabled updatable object for O365 in the rulebase. As said before - I have not spent too much time on this as we had other "fun" stuff to deal with on our chassis, so it's fairly "raw". I will report more once I had some answers  
Carsten_R inside General Topics yesterday
views 144 10

ARP table size of 131072 entires?

Hi,sk43772 says, that with R80.30, the ARP table size has been extended to 131072 entires. However, it's not working: The SK says nothing about any HW or RAM requirements, so my test device is only a VM with R80.30, Take 111. 
Shurik inside General Topics yesterday
views 63 1

Load Balancing for IPSEC VPN Tunnels

Hello guys, We're looking to implement Active/Active or Active/Standby VPN tunnels from our client (two locations) to our data centers (two locations). Would like to see if there is a way to create global load balancer (or something similar) to be able to manage (manually or automatically) what data center the traffic will go to. Any idea will be appreciated 🙂 Thanks 
Danny inside General Topics yesterday
views 74062 196 190

Common Check Point Commands (ccc)

🏆 Code Hub Contribution of the Year 2018!👍 Endorsed by Check Point Support! ccc is a menu-driven script to run common Check Point CLI tasks.License: GPL Installation (expert mode) or download:curl_cli -k | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc
SCSupport inside General Topics yesterday
views 231 9

Passing GRE traffic

Hello. Can someone advise exactly how Check Point stand with GRE support? I understand they can’t build or terminate GRE tunnels, but can they pass the traffic through? There is a VPN between 2 Cisco Routers who are trying to establish a tunnel however it isn’t coming up. After discussions, I realised they are using GRE over IPSEC VPN.I have now concluded that this is the reason why it’s not coming up. Any suggestions?
Lockout888 inside General Topics yesterday
views 407 6

Redirecting DNS

Running R80.30 for home use, and I want to force my kids devices to use OpenDNS Family Shield DNS Servers, while allowing other devices to use regular DNS Servers.I was able to do this with DD-WRT via MAC address by using these commands. Even if the DNS Servers were changed on the device manually, they were forced to use Family Shield.iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p udp --dport 53 -j DNAT --to -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p tcp --dport 53 -j DNAT --to do I accomplish this in GAIA? 
SCSupport inside General Topics yesterday
views 209 2

Unable to download R80.40

Hi, Has something happened to the download link for R80.40?I have registered for the EA however when continuing through to the download link, it suggests that I havent registered or it can not find the link I am looking for? If anyone can help that would be great.
HeikoAnkenbrand inside General Topics yesterday
views 714 13 17

R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Elephant Flow (Heavy Connections) In computer networking, an elephant flow (heavy connection) is an extremely large in total bytes continuous flow set up by a TCP or other protocol flow measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time.  When the observations were made that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows). All packets associated with that elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type. What typically produces heavy connections: System backups Database backups VMWare sync. Chapter More interesting articles: - R80.x Architecture and Performance Tuning - Link Collection- Article list (Heiko Ankenbrand) Evaluation of heavy connections The big question is, how do you found elephat flows on an R80 gateway? Tip 1Evaluation of heavy connections (epehant flows)A first indication is a high CPU load on a core if all other cores have a normal CPU load. This can be displayed very nicely with "top". Ok, now a core has 100% CPU usage. What can we do now? For this there is a SK105762 to activate "Firewall Priority Queues".  This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in CPView Utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes. Heavy connection flow system definition on Check Point gateways: Specific instance CPU is over 60% Suspected connection lasts more than 10s Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be > 30%   CLI Commands Tip 2Enable the monitoring of heavy connections. To enable the monitoring of heavy connections that consume high CPU resources: # fw ctl multik prioq 1 # reboot Tip 3Found heavy connection on the gateway with „print_heavy connections“ On the system itself, heavy connection data is accessible using the command: # fw ctl multik print_heavy_conn Tip 4Found heavy connection on the gateway with cpview # cpview                CPU > Top-Connection > InstancesX   Links sk105762 - Firewall Priority Queues in R77.30 / R80.10 and above    
inside General Topics yesterday
views 10334 81 15

R80.40 Early Availability Program @ Check Point Update

      R80.40 EA Program  R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the Industry’s largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V.  Enrollment // Production EA     • We are looking for R80.X / R77.X Production environment to evaluate the new version. • Start date: Started    Public EA (for Lab/Sandbox use) is now also available! Log into UserCenter and Select Try Our Products > Early Availability Programs In PartnerMap, it is Learn > Evaluate > Early Availability Programs NOTE: Upgrade from Public EA to GA is not supported   Additional questions? contact us@ What's New  IoT Security A new IoT security controller to: Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).  Configure a new IoT dedicated Policy Layer in policy management. Configure and manage security rules that are based on the IoT devices' attributes.                       TLS Inspection HTTP/2 HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results with a better user experience.  Check Point's Security Gateway now support HTTP/2 and benefits better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol. Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.                       TLS Inspection Layer This was formerly called HTTPS Inspection. Provides these new capabilities: A new Policy Layer in SmartConsole dedicated to TLS Inspection. Different TLS Inspection layers can be used in different policy packages. Sharing of a TLS Inspection layer across multiple policy packages. API for TLS operations. Threat Prevention Overall efficiency enhancement for Threat Prevention processes and updates. Automatic updates to Threat Extraction Engine. Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects. Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI. Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol. Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols. Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature. Access Control Identity Awareness Support for Captive Portal integration with SAML 2.0 and third party Identity Providers. Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.  Enhancements to Terminal Servers Agent for better scaling and compatibility. IPsec VPN Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:  Improved privacy - Internal networks are not disclosed in IKE protocol negotiations. Improved security and granularity - Specify which networks are accessible in a specified VPN community. Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain). Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles. URL Filtering Improved scalability and resilience. Extended troubleshooting capabilities. NAT Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse. NAT port utilization monitoring in CPView and with SNMP. Voice over IP (VoIP) Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance. Remote Access VPN Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy  enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication). Mobile Access Portal Agent Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410. Security Gateway and Gaia CoreX L and Multi-Queue Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot. Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load. Clustering Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes. Cluster Control Protocol encryption is now enabled by default. New ClusterXL mode -Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses. Support for ClusterXL Cluster Members that run different software versions. Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet. VSX Support for VSX upgrade with CPUSE in Gaia Portal. Support for Active Up mode in VSLS. Support for CPView statistical reports for each Virtual System Zero Touch A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration. Gaia REST API Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612. Advanced Routing Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon. Enhancing route refresh for improved handling of BGP routing inconsistencies. New kernel capabilities Upgraded Linux kernel New partitioning system (gpt): Supports more than 2TB physical/logical drives Faster file system (xfs) Supporting larger system storage (up to 48TB tested) I/O related performance improvements Multi-Queue: Full Gaia Clish support for Multi-Queue commands Automatic "on by default" configuration SMB v2/3 mount support in Mobile Access blade Added NFSv4 (client) support (NFS v4.2 is the default NFS version used) Support of new system tools for debugging, monitoring and configuring the system   CloudGuard Controller Performance enhancements for connections to external Data Centers. Integration with VMware NSX-T. Support for additional API commands to create and edit Data Center Server objects. Security Management Multi-Domain Server Back up and restore an individual Domain Management Server on a Multi-Domain Server. Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management. Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server. Migrate a Domain Management Server to become a Security Management Server. Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing. SmartTasks and API New Management API authentication method that uses an auto-generated API Key. New Management API commands to create cluster objects. Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel. SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy. Deployment Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel. SmartEvent Share SmartView views and reports with other administrators. Log Exporter Export logs filtered according to field values. Endpoint Security Support for BitLocker encryption for Full Disk Encryption. Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server. Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment. Policy can now control level of notifications to end users. Support for Persistent VDI environment in Endpoint Policy Management.