Hello checkmates,
I have issue with checkpoint firewall R80.10 gaia Os ,we receive 12 mb from the ISP but when you connect checkpoint
firewall its reducing to 3.75 mb we tried to disable some blades but still didnt resolve the issue and we also engaged and had 3 hours session with checkpoint support engineers but that didnt solve any thing as they mentioned that we need to enable secure xl but again when we enable that we loose internet therefore what could be an issue and below is the report from the checkpoint support team.
As I promised, here are my detailed notes on what we did today, including environment, troubleshooting steps and next possible steps.
╔═════════════╗
║ ENVIRONMENT
╚═════════════╝
One firewall and one management Server, running R80.10
╔═════════════════╗
║ BUSINESS IMPACT / SEVERITY
╚═════════════════╝
Medium
╔═══════╗
║ ISSUE
╚═══════╝
Network speed drags when CheckPoint is introduced to the network.
╔═════════════════╗
║ TROUBLESHOOTING
╚═════════════════╝
Very low bandwith, when the CheckPoint is connected.
Before the CheckPoint, the bandwith was 10.86 and after adding the CheckPoint, the bandwith became 3.57.
Currently, the speed is 3.72.
The device is a 5000, running R80.10.
The enabled blades are General, Application Control, URL Filter, IPS and Anti-Bot.
Entered the firewall via Putty session.
Ran the command fw ctl zdebug drop | grep 172.16.0.87
No drops were observed.
Entered SmartDashboard.
Disabled the IPS blade as a test, since it has been known to cause problems with traffic in the past.
Attempted to push policy.
The Application Control and URL Filter have expired contratcs, that can not be fetched.
This is a possible issue.
Speed test after disabling the IPS blade is 4.34
Returned to SmartDashboard.
Opened the Policy and then the threat Prevention Policy.
Created an exception, which disabled Anti-Bot and IPS on the test PC (172.16.0.87).
The speed test was 4.79.
Disabled the Application Control and URL Filter as another test.
Installation of policy failed because Rule 9 contained Application Control.
Disbaled Rule 9.
Pushed policy.
Speed was 4.75.
Returned to SmartDashboard.
Disabled all blades but the General.
Pushed policy.
The speed remained 4.79
Returned to the Putty session.
Ran the command fw monitor -T -p all -e "accept host (172.16.0.87);"
No blade holds onto the packets for too long.
Could this be an interface issue?
The interface, leading to the internet is eth3.
Ethtool eth3 shows the interface is full duplex and with speed of 1000Mb/s.
Auto negociation is on.
Turned it off for testing purposes with the command ethtool -s eth3 autoneg off.
Speed test was 2.19.
Returned to the Putty session.
Ran the command top.
There is nothing unusual - the memory works well and the 3 CPUs are idle most of the time.
Ran the command cpinfo -y all.
The firewall is on Take 112.
There are newer takes but we would only upgrade if absolutely necessery.
Ran the command fwaccel stat.
SecureXL is DISABLED.
Enabled it with the command fwaccel on.
Enabling SecureXL stops the Internet.
Customer stopped SecureXL with the command fwaccel off.
Ran the command cpconfig.
SecureXL is enabled.
Ran the command fw accel stat.
Here, SecureXL is disabled.
Entered SmartDashboard.
Opened Logs and Monitoring.
There is no dropped traffic from the time of the issue.
Ran the command fw ctl affinity -l -r -v -a.
We see the following output:
CPU 0 at eth1,
CPU 1 at fw_2
CPU 2 at fw_1
CPU 3 at fw_0
A good next step to do is to install the newest Jumbo Hotfix Accumulator.
Provided the customer with Take 161, which we downloaded from the Support Center.
Entered the Gaia WebUI.
Opened CPUSE and then Status and Action.
Clicked on Upload package and uploaded the provided jumbo - Take 161.
Take 161 was successfully uploaded.
Right-clicked the Take 161 and tried to install the Take.
The Take can not install since we can not UNinstall Take 121 because of the SMACK Take.
Uninstalled the Smack Take.
Successfully managed to install Take 161.
However, on top of the Gaia WebUI's CPUSE, there is a message: "Your currently installed license is not entitled to receive udpates from Check Point Download Center."
Entered the firewall via Putty session.
Ran the command cplic print -x.
All the contracts on the box have expired.
Entered SmartDashboard.
Opened Manage licenses and packages.
Chose File - Licenses and Contracts - Contracts - Update contracts from the User Center.
Customer put in his username and password.
Internet is still down.
Entered the firewall via Putty session.
Entered cpconfig.
Disabled SecureXL.
Internet is back up but the speed is around 4.10.
╔════════════╗
║ NEXT STEPS
╚════════════╝
There is some trouble, since SecureXL brings the Internet down.
Secure XL should NOT be interfering with the Internet, it should be increasing speed.
Possible next steps include:
- Start a remote session.
- Note the time of the session.
- Enabled SecureXL. Be preapred for Internet to go down.
- Ask customer to run the command fw ctl zdebug drop | grep [IP], as well as top and tcpdump on eth3.
- All of this would tell us why exactly Secure XL is bringing the Internet down.
- This is a SecureXL issue.